Black friday Up to 3 extra licenses FOR FREE + Special offer for TI LOOKUP Get it now
20
Global rank
38 infographic chevron month
Month rank
29 infographic chevron week
Week rank
0
IOCs

Vidar is a dangerous malware that steals information and cryptocurrency from infected users. It derives its name from the ancient Scandinavian god of Vengeance. This stealer has been terrorizing the internet since 2018.

Trojan
Type
ex-USSR
Origin
1 December, 2018
First seen
21 December, 2024
Last seen

How to analyze Vidar with ANY.RUN

Type
ex-USSR
Origin
1 December, 2018
First seen
21 December, 2024
Last seen

IOCs

IP addresses
95.216.180.153
45.84.1.88
URLs
http://ip-api.com/line/
https://steamcommunity.com/profiles/76561199809363512
https://t.me/k04ael
https://t.me/pech0nk
https://steamcommunity.com/profiles/76561199751190313
https://t.me/ae5ed
https://steamcommunity.com/profiles/76561199780418869
https://steamcommunity.com/profiles/76561199707802586
https://t.me/g067n
https://steamcommunity.com/profiles/76561199794498376
https://t.me/asg7rd
https://steamcommunity.com/profiles/76561199786602107
https://t.me/lpnjoke
https://steamcommunity.com/profiles/76561199802540894
https://t.me/fu4chmo
http://135.181.26.183/
http://49.12.117.107/
http://65.109.236.2/
https://steamcommunity.com/profiles/76561199768374681
https://t.me/edm0d
Last Seen at
Last Seen at

Recent blog posts

post image
Well done, ANY.RUN: Our Top Cybersecurity Awa...
watchers 211
comments 0
post image
How DFIR Analysts Use ANY.RUN Sandbox
watchers 303
comments 0
post image
How to Set up a Windows 11 Malware Sandbox
watchers 1110
comments 0

What is Vidar malware?

Vidar is an information stealer trojan that was first identified in December 2018. It is either a fork of Arkei or the result of its evolution. Named after the god of vengeance from Scandinavian mythology, Vidar is used to steal information from infected systems, take screenshots, steal cryptocurrency, and more.

General description of Vidar malware

Vidar is presumed to have originated in a Russian-speaking country since the malware is configured to stop execution if it detects that it is being run on a machine that is located in one of the ex-USSR nations or on one that has a Russian keyboard layout.

Being another cyber threat that is available for purchase based on the MaaS (Malware-as-a-Service) business model, Vidar can be purchased on its “official” website for a hefty price tag of $700, at least for the PRO version. Though, a stripped-down version of the malware can be obtained for just $250.

According to the Vidar trojan analysis, malware is written in the C++ programming language. Purchasing account grants the attacker access to a control panel where the cybercriminal can set up the infostealer malware to target particular information on the victims’ PC. Like Arkei, cybercriminals need to take precautions to secure the main payload themselves, using crypto or a packer. The control panel displays the current builder version, user settings, malware status, and logs. It should be noted that Vidar data stealer uses domain names to search for C&C servers, where stolen data is being dropped, changing every four days. Though they are steadily changing, a constant response is required.

Use ANY.RUN free for 14 days

Try the full power of interactive analysis

Start your free trial

Vidar is capable of stealing text files in multiple formats, browser cookies and history, browser records, including data from TOR, as well as autofill value information, including banking and credit card details. Based on the Vidar analysis, the stealer malware can search for cryptocurrency wallet information, take screenshots and act as a message stealer, recording private messages from various software.

What’s more, Vidar is also known to be able to steal digital coins from offline wallets. In fact, holders of Litecoin, Bitcoin, Ethereum, Zcash, and DashCore are in potential danger, as these are the cryptocurrencies currently supported by this infostealer malware.

After collecting all targeted information, this stealer malware archives it and sends the stolen data to a control server, after which Vidar removes traces of its work and deletes itself from the system.

Vidar analysis

An analysis recorded in ANY.RUN malware hunting service allows us to take a closer look at the lifecycle of Vidar and perform Vidar analysis.

arkei execution process tree

Figure 1: A visual process graph generated by ANY.RUN

text report of the arkei malware analysis

Figure 2: The customizable text report provided by ANY.RUN is a perfect tool to share the results of an analysis

Vidar execution process

According to the Vidar analysis, after the user downloads and runs a malicious file, it spawns a child process and collects information from the infected system. Often, after the information was collected, the malware kills and deletes itself from the system through a command-line command.

Get started today for free

Analyze malware and phishing in a fully-interactive sandbox

Create free account

How to avoid infection by Vidar malware?

When spread via spam email campaigns like NanoCore or Agent Tesla, the Vidar stealer requires the user to download and run a malicious file to enter an active state and begin execution. Therefore, following some basic cybersecurity rules can ensure that users will stay safe from Vidar malware and the incident response team will work effectively.

As such, users should be careful when downloading attachments in emails from unknown senders. The best practice is to avoid downloading such files altogether, therefore not putting oneself in danger at all.

In addition, downloading only licensed software from trustworthy sources and avoiding gaming hacking clients greatly reduced the risk of being infected with malware such as Vidar trojan, which uses these attack vectors to infect victims.

The distribution process of Vidar

According to the Vidar trojan analysis, Vidar is distributed through spam email campaigns as a malicious attachment, like other malware. In addition, cases of Vidar being distributed using shady software and gaming hack clients have also been recorded. Vidar infostealer targets users all over the world, except some ex-USSR countries, including Russia.

How to detect Vidar using ANY.RUN?

Some malware creates files in which it named itself. You can find such info about Vidar trojan using ANY.RUN's Static Discovering during your Vidar analysis. Open either the "Files" tab in the lower part of the task's window or click on the process and then on the "More Info" button in the appeared window. After that, all you need to do is click on the file.

arkei vidar log file Figure 3: Vidar's log file

Conclusion

Vidar is a hazardous information stealer trojan, distributed as malware as a service. Thanks to its extensive stealer feature set, Vidar trojan can be used to retrieve a wide variety of information, including stealing select cryptocurrency coins from the users. Additionally, Vidar is capable of stealing data from TOR.

Thankfully, malware hunting services like ANY.RUN allows researchers to conduct extensive studies of malware samples in a secure environment, allowing them to spread information about the danger and develop effective countermeasures and incident response.

Create your free ANY.RUN account to analyze malware and phishing without limits!

HAVE A LOOK AT

Bluesky Ransomware screenshot
BlueSky ransomware, first identified in June 2022, shares code similarities with other well-known ransomware families like Conti and Babuk. It primarily spreads via phishing emails and malicious links and can propagate through networks using SMB protocols. BlueSky uses advanced evasion techniques, such as hiding its processes from debuggers via the NtSetInformationThread API, making it difficult for analysts to detect and mitigate its attacks.
Read More
Virlock screenshot
Virlock
virlock
Virlock is a unique ransomware strain that combines encryption capabilities with file infection techniques. First observed in 2014, it stands out due to its polymorphic nature and ability to embed its code into compromised files, ensuring continued propagation. Once it infects a system, it encrypts files and locks the screen, demanding a ransom for file recovery and system access.
Read More
MetaStealer screenshot
MetaStealer
metastealer
MetaStealer is an info-stealing malware primarily targeting sensitive data like login credentials, payment details, and browser history. It typically infects systems via phishing emails or malicious downloads and can exfiltrate data to a command and control (C2) server. MetaStealer is known for its stealthy techniques, including evasion and persistence mechanisms, which make it difficult to detect. This malware has been actively used in various cyberattacks, particularly for financial theft and credential harvesting from individuals and organizations.
Read More
Bumblebee Loader screenshot
Bumblebee Loader
bumblebee
Bumblebee is a highly adaptable malware loader, often used by threat actors linked to the Conti and TrickBot cybercrime groups. Since its discovery in 2021, Bumblebee has been leveraged in phishing campaigns and email thread hijacking, primarily to distribute payloads like Cobalt Strike and ransomware. The malware employs obfuscation techniques, such as DLL injection and virtual environment detection, to avoid detection and sandbox analysis. Its command-and-control infrastructure and anti-analysis features allow it to persist on infected devices, where it enables further payload downloads and system compromise.
Read More
DarkGate screenshot
DarkGate
darkgate
DarkGate is a loader, which possesses extensive functionality, ranging from keylogging to crypto mining. Written in Delphi, this malware is known for the use of AutoIT scripts in its infection process. Thanks to this malicious software’s versatile architecture, it is widely used by established threat actors.
Read More
AsyncRAT screenshot
AsyncRAT
asyncrat
AsyncRAT is a RAT that can monitor and remotely control infected systems. This malware was introduced on Github as a legitimate open-source remote administration software, but hackers use it for its many powerful malicious functions.
Read More